Chimera has usednet user for account discovery.^[2]

Chimera has has usednet user /dom andnet user Administrator to enumerate domain accounts including administrator accounts.^[1][2]

Chimera has used HTTPS for C2 communications.^[2]

Chimera has usedCobalt Strike to encapsulate C2 in DNS traffic.^[2]

Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.^[1][2]

Chimera has used custom DLLs for continuous retrieval of data from memory.^[2]

Chimera has usedtype \\c$\Users\\Favorites\Links\Bookmarks bar\Imported From IE*citrix* for bookmark discovery.^[2]

Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts.^[2]

Chimera has used credential stuffing against victim's remote services to obtain valid accounts.^[2]

Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.^[1][2]

Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.^[2]

Chimera has collected documents from the victim's SharePoint.^[2]

Chimera has collected data of interest from network shares.^[2]

Chimera has staged stolen data locally on compromised hosts.^[2]

Chimera has staged stolen data on designated servers in the target environment.^[2]

Chimera hasnltest /domain_trusts to identify domain trust relationships.^[2]

Chimera has harvested data from victim's e-mail including through execution ofwmic /node: process call create "cmd /c copy c:\Users\\\backup.pst c:\windows\temp\backup.pst" copy "i:\\\My Documents\.pst"
copy.^[2]

Chimera has harvested data from remote mailboxes including through execution of\\c$\Users\\AppData\Local\Microsoft\Outlook*.ost.^[2]

Chimera has usedCobalt Strike C2 beacons for data exfiltration.^[2]

Chimera has exfiltrated stolen data to OneDrive accounts.^[2]

Chimera has used legitimate credentials to login to an external VPN, Citrix, SSH, and other remote services.^[1][2]

Chimera has utilized multiple commands to identify data of interest in file and directory listings.^[2]

Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks.^[2]

Chimera has used side loading to place malicious DLLs in memory.^[2]

Chimera has cleared event logs on compromised hosts.^[2]

Chimera has performed file deletion to evade detection.^[1]

Chimera has used a Windows version of the Linuxtouch command to modify the date and time stamp on DLLs.^[2]

Chimera has remotely copied tools and malware onto targeted systems.^[1]

Chimera has copied tools between compromised hosts using SMB.^[2]

Chimera has usedfsutil fsinfo drives,systeminfo, andvssadmin list shadows for system information including shadow volumes and drive information.^[2]

Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.^[1]

Chimera's malware has altered the NTLM authentication program on domain controllers to allowChimera to login without a valid credential.^[1]

Chimera has registered alternate phone numbers for compromised users to intercept 2FA codes sent via SMS.^[2]

Chimera has used direct Windows system calls by leveraging Dumpert.^[1]

Chimera has used theget -b -e -p command for network scanning as well as a custom Python tool packed into a Windows executable named Get.exe to scan IP ranges for HTTP.^[2]

Chimera has usednet share andnet view to identify network shares of interest.^[2]

Chimera has encoded PowerShell commands.^[1]

Chimera has obtained and used tools such asBloodHound,Cobalt Strike,Mimikatz, andPsExec.^[1][2]

Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.^[1]Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users viamsadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv and used ntdsutil to copy the Active Directory database.^[2]

Chimera has used the NtdsAudit utility to collect information related to accounts and passwords.^[2]

Chimera has usednet localgroup administrators to identify accounts with local administrative rights.^[2]

Chimera has usedtasklist to enumerate processes.^[2]

Chimera has encapsulatedCobalt Strike's C2 protocol in DNS and HTTPS.^[2]

Chimera has queried Registry keys usingreg query \\HKU\\SOFTWARE\Microsoft\Terminal Server Client\Servers andreg query \\HKU\\Software\Microsoft\Windows\CurrentVersion\Internet Settings.^[2]

Chimera has used RDP to access targeted systems.^[1]

Chimera has used Windows admin shares to move laterally.^[1][2]

Chimera has used WinRM for lateral movement.^[2]

Chimera has utilized various scans and queries to find domain controllers and remote services in the target environment.^[2]

Chimera has used scheduled tasks to invoke Cobalt Strike including through batch scriptschtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st and to maintain persistence.^[1][2]

Chimera has usedipconfig,Ping, andtracert to enumerate the IP address and network environment and settings of the local host.^[2]

Chimera has usednetstat -ano | findstr EST to discover network connections.^[2]

Chimera has used thequser command to show currently logged on users.^[2]

Chimera has usednet start andnet use for system service discovery.^[2]

Chimera has usedPsExec to deploy beacons on compromised systems.^[2]

Chimera has usedtime /t andnet time \ip/hostname for system time discovery.^[2]

Chimera has dumped password hashes for use in pass the hash authentication attacks.^[2]

Chimera has used a valid account to maintain persistence via scheduled task.^[1]

Chimera has used compromised domain accounts to gain access to the target environment.^[2]

Chimera has used WMIC to execute remote commands.^[1][2]